Fórum Ubuntu CZ/SK
Ubuntu for desktop computers => Internet and networks => Topic started by: RomanFic, 15 January 2017, 11:56:53
-
Hi.
Thanks in advance for any help that leads to a working solution. I think the problem is with routing.
What I want to achieve:
I need to get from any address in the VPN through to the network behind the OpenVPN client.
Diagram:
=====================       =====================
|                   |       |                   |
|  Cloud server 1   |       |  Cloud server 2   |
|  DEBIAN           |       |  DEBIAN           |
|  OpenVPN server   |  ->   |  OpenVPN client   |
|  10.231.0.1/24    |       |  10.231.0.2/24    |
|                   |       |                   |
=====================       =====================
          |
          v
===========================
|                         |
|       Home router       |
|                         |
|        DEBIAN           |
|        OpenVPN client   |
|        10.231.0.3/24    |
|                         |
|  inet eth0              |
|  eth0 192.168.1.10/24   |
|                         |
|  local subnet           |
|  eth1 192.168.254.254/24|
|                         |
===========================
      |               |
      v               v
==================  ==================
|      PC1       |  |      PC2       |
| 192.168.254.100|  | 192.168.254.101|
==================  ==================
What works and what doesn't:
Cloud server 1 10.231.0.1 -> Home router 10.231.0.3 = ping OK
Cloud server 1 10.231.0.1 -> Home router 192.168.1.10 = ping OK
Cloud server 1 10.231.0.1 -> Home router 192.168.254.254 = ping OK
Cloud server 1 10.231.0.1 -> PC1 192.168.254.101 = ping fails
Cloud server 1 10.231.0.1 -> PC1 192.168.254.102 = ping fails
Cloud server 2 10.231.0.2 -> Home router 10.231.0.3 = ping OK
Cloud server 2 10.231.0.2 -> Home router 192.168.1.10 = ping OK
Cloud server 2 10.231.0.2 -> Home router 192.168.254.254 = ping OK
Cloud server 2 10.231.0.2 -> PC1 192.168.254.101 = ping fails
Cloud server 2 10.231.0.2 -> PC1 192.168.254.102 = ping fails
I get as far as eth1; the 192.168.254.0/24 network is in ccd on the OpenVPN server, but I can't get past it, so I assume I'm missing something in iptables on the home router.
Thanks for a push in the right direction.
Roman
EDIT:
I just noticed a mistake in the network description. The home router has IP 10.231.0.3/24; I wrongly wrote 10.231.0.2/24.
-
It would help to see the routing tables on both the client and the server.
An iptables listing wouldn't hurt either.
Do you have proxy ARP and forwarding enabled?
-
Thanks for the reply. Take the iptables with a huge grain of salt; it's in a trial-and-error state...
I didn't have proxy ARP enabled, forwarding yes.
Routing table, Cloud server 1
Destination     Gateway          Genmask         Flags Metric Ref    Use Iface
default         smart5.forpsi.n  0.0.0.0         UG    0      0        0 eth0
10.231.0.0      *                255.255.255.0   U     0      0        0 tun3
81.2.241.0      *                255.255.255.0   U     0      0        0 eth0
192.168.1.0     10.231.0.1       255.255.255.0   UG    0      0        0 tun3
192.168.3.0     *                255.255.255.0   U     0      0        0 tun1
192.168.250.0   *                255.255.255.0   U     0      0        0 tun2
192.168.254.0   10.231.0.1       255.255.255.0   UG    0      0        0 tun3
iptables, Cloud server 1
Chain INPUT (policy ACCEPT 1405K packets, 171M bytes)
pkts bytes target prot opt in out source destination
560 92871 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
19855 834K ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:25201
57 2394 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1194
33 1620 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1294
5382 258K ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
11606 639K ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
5374 287K ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
38296 3630K ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
38327 60M ACCEPT all -- eth0 tun+ 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- tun1 tun3 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- tun3 tun1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 1091K packets, 1304M bytes)
pkts bytes target prot opt in out source destination
Routing table, Home router
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.231.0.0      *               255.255.255.0   U     0      0        0 tun0
link-local      *               255.255.0.0     U     1000   0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.3.0     10.231.0.1      255.255.255.0   UG    0      0        0 tun0
192.168.254.0   *               255.255.255.0   U     0      0        0 eth1
iptables, Home router
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
14314 1317K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1 60 ACCEPT tcp -- eth1 * 192.168.254.0/24 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
12 1008 ACCEPT all -- tun0 * 10.231.0.0/24 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53
7980 968K LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2305K 3558M ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
641K 111M ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun0 eth1 10.231.0.0/24 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth1 192.168.3.0/24 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth0 10.231.0.0/24 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth0 192.168.3.0/24 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 tun0 0.0.0.0/0 10.231.0.0/24 state NEW,ESTABLISHED
0 0 ACCEPT all -- eth1 tun0 0.0.0.0/0 10.231.0.0/24 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 tun0 0.0.0.0/0 10.231.0.0/24 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 tun0 0.0.0.0/0 192.168.254.0/24 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 tun0 0.0.0.0/0 192.168.3.0/24 state NEW,RELATED,ESTABLISHED
1491 125K LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
652 200K ACCEPT tcp -- * eth1 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW,ESTABLISHED
50 3370 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53
11941 1003K ACCEPT udp -- * eth0 0.0.0.0/0 81.2.241.253 udp dpt:25201
0 0 ACCEPT icmp -- * eth0 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * eth0 0.0.0.0/0 0.0.0.0/0 icmptype 0
4 192 ACCEPT icmp -- * eth1 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * eth1 0.0.0.0/0 0.0.0.0/0 icmptype 0
47 3948 ACCEPT all -- * tun0 0.0.0.0/0 0.0.0.0/0
818 218K LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOGGING (3 references)
pkts bytes target prot opt in out source destination
1602 203K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 5 LOG flags 0 level 4 prefix "IPTables-Dropped: "
10289 1312K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
-
You should pick just one path, test it and get it working, rather than doing too many things at once.
Is 192.168.254.254/24 set as the gateway for PC1 and PC2?
-
I know... but... it's a bit of a mess right now, that's why I'm writing; take it with a grain of salt. At the moment I need to get the routing sorted quickly.
Yes, that's the gateway for the two PCs.
-
Then 192.168.254.254 must have /proc/sys/net/ipv4/conf/all/proxy_arp = 1, and the same goes for forwarding.
Does ping from PC1/PC2 to Cloud 1/Cloud 2 work?
-
I enabled proxy ARP yesterday, but no change; there's no firewall on the workstation, only an unconfigured iptables.
Ping to the cloud servers works without problems.
Roman
-
I've figured it out. I had a mistake in iptables on the home router:
0 0 ACCEPT all -- tun0 eth1 10.231.0.0/24 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth1 192.168.3.0/24 0.0.0.0/0 state RELATED,ESTABLISHED
I replaced it with:
0 0 ACCEPT all -- tun0 eth1 10.231.0.0/24 0.0.0.0/0
0 0 ACCEPT all -- tun0 eth1 192.168.3.0/24 0.0.0.0/0
And it started working. Thanks for the help.
Roman
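To make the fix above concrete, here is an added example (not code from the thread) that models how iptables walks the FORWARD chain: first matching rule wins, and a rule with `state RELATED,ESTABLISHED` can never match the first packet of a flow, which conntrack classifies as NEW. The rule text is the home router's FORWARD chain exactly as posted; the two packets (an echo request from Cloud server 1 to a PC on the LAN and its reply) are constructed for the demonstration, and `LOGGING` is treated as DROP because the posted LOGGING chain ends in DROP.

```python
"""Added example (not from the thread): a minimal model of iptables
FORWARD-chain matching, used to show why the home router's original rule

    ACCEPT all -- tun0 eth1 10.231.0.0/24 0.0.0.0/0 state RELATED,ESTABLISHED

could never pass the first packet of a VPN -> LAN flow.  The rule text is
the router's FORWARD chain as posted; the packets are constructed here."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    target: str
    in_if: str                        # "*" matches any interface
    out_if: str
    src: str                          # CIDR; 0.0.0.0/0 matches everything
    dst: str
    states: Optional[FrozenSet[str]]  # None when the rule has no state match


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    state: str                        # conntrack state: NEW, ESTABLISHED, RELATED


def parse_chain(dump: str) -> List[Rule]:
    """Parse rule lines in the 'iptables -L FORWARD -v -n' layout:
    pkts bytes target prot opt in out source destination [match options]."""
    rules = []
    for line in dump.strip().splitlines():
        f = line.split()
        states = None
        for key in ("state", "ctstate"):
            if key in f:
                states = frozenset(f[f.index(key) + 1].split(","))
        rules.append(Rule(f[2], f[5], f[6], f[7], f[8], states))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every match in a rule must hold: interfaces, addresses and state."""
    if rule.in_if != "*" and rule.in_if != pkt.in_if:
        return False
    if rule.out_if != "*" and rule.out_if != pkt.out_if:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    return True


def verdict(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins.  The posted LOGGING chain ends in DROP, so a
    jump to it is reported as DROP; no match at all falls to the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return "DROP" if rule.target == "LOGGING" else rule.target
    return policy


# FORWARD chain of the home router exactly as posted (policy DROP).
ORIGINAL_FORWARD = parse_chain("""
2305K 3558M ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
641K 111M ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun0 eth1 10.231.0.0/24 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth1 192.168.3.0/24 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth0 10.231.0.0/24 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth0 192.168.3.0/24 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 tun0 0.0.0.0/0 10.231.0.0/24 state NEW,ESTABLISHED
0 0 ACCEPT all -- eth1 tun0 0.0.0.0/0 10.231.0.0/24 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 tun0 0.0.0.0/0 10.231.0.0/24 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 tun0 0.0.0.0/0 192.168.254.0/24 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 tun0 0.0.0.0/0 192.168.3.0/24 state NEW,RELATED,ESTABLISHED
1491 125K LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
""")

# The poster's fix: the two tun0 -> eth1 rules lose their state match,
# so NEW packets entering the LAN from the tunnel are accepted as well.
FIXED_FORWARD = [
    replace(r, states=None) if (r.in_if, r.out_if) == ("tun0", "eth1") else r
    for r in ORIGINAL_FORWARD
]

# Constructed packets: the first echo request from Cloud server 1 to a LAN PC
# as it is forwarded from the tunnel to eth1, and the PC's reply on the way
# back.  The reply is ESTABLISHED only once the request itself was accepted.
ECHO_REQUEST = Packet("tun0", "eth1", "10.231.0.1", "192.168.254.101", "NEW")
ECHO_REPLY = Packet("eth1", "tun0", "192.168.254.101", "10.231.0.1", "ESTABLISHED")

if __name__ == "__main__":
    print("original chain, echo request:", verdict(ORIGINAL_FORWARD, ECHO_REQUEST))
    print("fixed chain,    echo request:", verdict(FIXED_FORWARD, ECHO_REQUEST))
    print("fixed chain,    echo reply:  ", verdict(FIXED_FORWARD, ECHO_REPLY))
```

With the original chain the echo request matches no ACCEPT rule and reaches the final LOGGING rule, so it is logged and dropped; with the fixed chain it is accepted, and the reply is accepted by the existing `eth1 tun0 ... 10.231.0.0/24 state NEW,ESTABLISHED` rule, which is why the return path was never the problem. It also explains the symptom pattern in the first post: pings to the router's own addresses, including 192.168.254.254, go through INPUT, where `ACCEPT all -- tun0 * 10.231.0.0/24` has no state restriction, while pings to PC1 and PC2 are forwarded and hit this chain. If you prefer to keep an explicit state list rather than dropping it, `NEW,RELATED,ESTABLISHED` (as the return-path rules already use) gives the same result.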
-
Ah, I really didn't notice that :)
Great that it works.